Nightly Acceptance Tests & Drift Detection #195
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Nightly Acceptance Tests & Drift Detection" | |
| on: | |
| schedule: | |
| # Runs nightly at 00:30 UTC | |
| - cron: '30 0 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.18' | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Build | |
| run: go build -v . | |
| drift: | |
| name: "Drift Detection (TF ${{ matrix.terraform }})" | |
| runs-on: ubuntu-latest | |
| needs: build | |
| strategy: | |
| max-parallel: 1 | |
| fail-fast: false | |
| matrix: | |
| terraform: | |
| - '0.15.5' | |
| - '0.14.11' | |
| - '1.1.2' | |
| - '1.5.3' | |
| env: | |
| TF_VAR_aquasec_url: ${{ secrets.AQUA_URL }} | |
| TF_VAR_aquasec_username: ${{ secrets.AQUA_USER }} | |
| TF_VAR_aquasec_password: ${{ secrets.AQUA_PASSWORD }} | |
| TF_VAR_aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| TF_VAR_aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| TF_VAR_aws_region: ${{ secrets.AWS_REGION }} | |
| TF_VAR_aws_log_group: ${{ secrets.AWS_LOG_GROUP }} | |
| defaults: | |
| run: | |
| working-directory: examples/ | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform ${{ matrix.terraform }} | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ matrix.terraform }} | |
| terraform_wrapper: true | |
| id: setup_tf | |
| - name: Terraform Init | |
| run: terraform init -input=false | |
| - name: Terraform Validate | |
| run: terraform validate | |
| - name: Terraform Fmt Check | |
| run: terraform fmt -check | |
| - name: Terraform Plan (drift detection) | |
| id: plan | |
| run: | | |
| set +e | |
| terraform plan -input=false -detailed-exitcode -out=tfplan.binary | |
| exitcode=$? | |
| echo "exitcode=$exitcode" >> "$GITHUB_OUTPUT" | |
| # exit code 0 = no changes, 2 = changes (drift detected), 1 = error | |
| if [ "$exitcode" -ne 0 ]; then | |
| exit $exitcode | |
| fi | |
| - name: Write result file | |
| run: | | |
| version="${{ matrix.terraform }}" | |
| exitcode="${{ steps.plan.outputs.exitcode }}" | |
| if [ -z "$exitcode" ]; then | |
| exitcode=99 # choose a default, e.g. 99 for unknown | |
| fi | |
| echo "{\"version\":\"${{ matrix.terraform }}\",\"exitcode\":${exitcode}}" \ | |
| > result-drift-${{ matrix.terraform }}.json | |
| - name: Upload result artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: drift-results-${{ matrix.terraform }} | |
| path: examples/result-drift-${{ matrix.terraform }}.json | |
| if-no-files-found: error | |
| acceptance: | |
| name: "Acceptance Tests (TF ${{ matrix.terraform }})" | |
| runs-on: ubuntu-latest | |
| needs: drift | |
| strategy: | |
| max-parallel: 1 | |
| fail-fast: false | |
| matrix: | |
| terraform: | |
| - '0.15.5' | |
| - '0.14.11' | |
| - '1.1.2' | |
| - '1.5.3' | |
| env: | |
| AQUA_URL: ${{ secrets.AQUA_URL }} | |
| AQUA_USER: ${{ secrets.AQUA_USER }} | |
| AQUA_PASSWORD: ${{ secrets.AQUA_PASSWORD }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| AWS_LOG_GROUP: ${{ secrets.AWS_LOG_GROUP }} | |
| steps: | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.18' | |
| - name: Check out repo | |
| uses: actions/checkout@v4 | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Run TF acceptance tests | |
| id: accept_tests | |
| uses: nick-fields/retry@v2 | |
| with: | |
| max_attempts: 2 | |
| timeout_minutes: 15 | |
| command: go test -v -cover ./aquasec/ -timeout 15m | |
| env: | |
| TF_ACC: "1" | |
| TF_ACC_TERRAFORM_VERSION: ${{ matrix.terraform }} | |
| AQUA_URL: ${{ secrets.AQUA_URL }} | |
| AQUA_USER: ${{ secrets.AQUA_USER }} | |
| AQUA_PASSWORD: ${{ secrets.AQUA_PASSWORD }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| AWS_LOG_GROUP: ${{ secrets.AWS_LOG_GROUP }} | |
| - name: Write acceptance result file | |
| run: | | |
| version="${{ matrix.terraform }}" | |
| outcome="${{ steps.accept_tests.outcome }}" | |
| # If outcome is empty or weird, default to "unknown" | |
| if [ -z "$outcome" ]; then | |
| outcome="unknown" | |
| fi | |
| result="failure" | |
| if [ "${{ steps.accept_tests.outcome }}" = "success" ]; then | |
| result="success" | |
| fi | |
| echo "{\"version\":\"${{ matrix.terraform }}\",\"result\":\"${result}\"}" \ | |
| > result-acceptance-${{ matrix.terraform }}.json | |
| - name: Debug before upload | |
| run: | | |
| echo "Current directory: $(pwd)" | |
| ls -la . | |
| - name: Upload acceptance result artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: acceptance-results-${{ matrix.terraform }} | |
| path: ./result-acceptance-${{ matrix.terraform }}.json | |
| if-no-files-found: error | |
| notify: | |
| name: "Notify via Teams Webhook" | |
| runs-on: ubuntu-latest | |
| needs: | |
| - drift | |
| - acceptance | |
| if: ${{ always() }} | |
| steps: | |
| - name: Download all artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: artifacts | |
| - name: Build and send Teams notification | |
| env: | |
| TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }} | |
| GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| WORKFLOW_NAME: ${{ github.workflow }} | |
| BRANCH_NAME: ${{ github.ref_name }} | |
| run: | | |
| # Build drift summary | |
| drift_text="" | |
| for file in artifacts/drift-results-*/result-drift-*.json; do | |
| version=$(jq -r .version < "$file") | |
| exitcode=$(jq -r .exitcode < "$file") | |
| if [ "$exitcode" -eq 0 ]; then | |
| drift_text+="✅ TF $version: No drift\n" | |
| elif [ "$exitcode" -eq 2 ]; then | |
| drift_text+="⚠️ TF $version: Drift detected\n" | |
| else | |
| drift_text+="❌ TF $version: Error\n" | |
| fi | |
| done | |
| # Build acceptance summary | |
| acc_text="" | |
| all_passed=true | |
| for file in artifacts/acceptance-results-*/result-acceptance-*.json; do | |
| version=$(jq -r .version < "$file") | |
| result=$(jq -r .result < "$file") | |
| if [ "$result" = "success" ]; then | |
| acc_text+="✅ TF $version: Passed\n" | |
| else | |
| acc_text+="❌ TF $version: Failed\n" | |
| all_passed=false | |
| fi | |
| done | |
| # Set title color based on results | |
| if [ "$all_passed" = true ]; then | |
| theme_color="00FF00" | |
| title="✅ Nightly Tests Passed" | |
| else | |
| theme_color="FF0000" | |
| title="❌ Nightly Tests Failed" | |
| fi | |
| # Send to Teams | |
| curl -H "Content-Type: application/json" -d "{ | |
| \"@type\": \"MessageCard\", | |
| \"@context\": \"http://schema.org/extensions\", | |
| \"themeColor\": \"${theme_color}\", | |
| \"summary\": \"${title}\", | |
| \"sections\": [{ | |
| \"activityTitle\": \"${title}\", | |
| \"facts\": [ | |
| { \"name\": \"Workflow\", \"value\": \"${WORKFLOW_NAME}\" }, | |
| { \"name\": \"Branch\", \"value\": \"${BRANCH_NAME}\" } | |
| ], | |
| \"markdown\": true | |
| }, | |
| { | |
| \"activityTitle\": \"Drift Detection\", | |
| \"text\": \"${drift_text}\" | |
| }, | |
| { | |
| \"activityTitle\": \"Acceptance Tests\", | |
| \"text\": \"${acc_text}\" | |
| }], | |
| \"potentialAction\": [{ | |
| \"@type\": \"OpenUri\", | |
| \"name\": \"View in GitHub\", | |
| \"targets\": [{ \"os\": \"default\", \"uri\": \"${GITHUB_URL}\" }] | |
| }] | |
| }" "${TEAMS_WEBHOOK_URL}" |